I’ll start by saying I am very new to Docker and am having to learn a lot of things on-the-job, so apologies in advance for a badly worded question.
As part of my new role, I have inherited a lot of legacy Docker images (all hosted locally on our Portus server) and have been put in charge of maintaining and keeping them up to date with the latest patches.
They all use RHEL for their OS, with various things done to them. I only appear to have the final image, and none of the layers, so my question is:
Whilst I am able to run `yum update` to get the latest patches for the RHEL version on each image, is there a way for me to do a full upgrade from RHEL 7 to RHEL 8 inside the container, or will I need to start from scratch with a RHEL8 image, and try to rebuild whatever was done for each one?
Hope this makes sense, again, I am new so apologies if the question is not a good one.
I hope the previous maintainer documented his approach well, so you know what he did.
It looks like he builds images from scratch or maybe squashed the final image. I am not entirely sure which of the two it is.
There seems to be no official RHEL base image to be used to build custom images based on it. So he either must have used an already existing base image from a third party or must have indeed built it from scratch.
Usually latest patches come in by using the most recent base image. The reason is that files written in a layer and deleted or replaced in another layer won’t be deleted in the previous layers. You end up having a bloated image. That’s why doing a full OS update in an image is not recommended.
You should really look out for the documentation the previous maintainer did, or if possible ask him directly. Also, you might get lucky searching for projects with “docker” in their name in your corporate git server.
Sadly not, I don’t think there is any documentation.
Looks like everything is squashed.
One of the tasks I have been set is to try and move this into git. As I am the main admin on our git server, I’m 99% sure that they didn’t put any in there.
You could check if they used labels on images to add meta information that might give pointers. Execute `docker image inspect ${image id or name} --format '{{json .Config.Labels}}'` and check the output.
Also, it might be possible he used docker compose to build and deploy the images - if the docker compose version is recent enough, you might see container labels that indicate where the compose file is. Execute `docker container inspect ${container id or name} --format '{{json .Config.Labels}}'` and check the output.
If both don’t bring up any details, then you can still use `docker image history ${image name or id} --no-trunc` to see what commands were executed to create the image. You could use `docker cp` to extract files used in COPY instructions from a running container. This approach will be painful, but better than nothing. It’s worth researching if a tool exists that derives a Dockerfile from an existing image.
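The label and history checks from the last reply, sketched as an added example that is not part of the original thread: it filters label JSON for pointers to build sources and turns `docker image history --no-trunc --format '{{json .}}'` output into approximate Dockerfile lines. The sample history and labels are constructed, and the function names and the choice of label keys are assumptions of this example.

```python
import json

# Labels that can point back to build sources. The compose keys are written by
# Docker Compose onto containers; the OCI keys exist only if the builder set them.
HINT_LABELS = (
    "com.docker.compose.project.working_dir",
    "com.docker.compose.project.config_files",
    "org.opencontainers.image.source",
    "org.opencontainers.image.revision",
)

def provenance_hints(labels_json):
    """Filter the output of `--format '{{json .Config.Labels}}'` for source pointers."""
    labels = json.loads(labels_json) or {}  # docker prints "null" when no labels exist
    return {k: labels[k] for k in HINT_LABELS if k in labels}

def history_to_dockerfile(history_jsonl):
    """Convert `docker image history --no-trunc --format '{{json .}}'` output
    (one JSON object per line, newest layer first) into approximate Dockerfile lines."""
    steps = []
    for line in reversed(history_jsonl.strip().splitlines()):
        cmd = json.loads(line)["CreatedBy"].strip()
        if cmd.endswith("# buildkit"):             # BuildKit appends this marker
            cmd = cmd[: -len("# buildkit")].rstrip()
        if cmd.startswith("RUN /bin/sh -c "):      # BuildKit RUN step
            cmd = "RUN " + cmd[len("RUN /bin/sh -c "):]
        elif cmd.startswith("/bin/sh -c #(nop)"):  # classic builder, metadata instruction
            cmd = cmd[len("/bin/sh -c #(nop)"):].strip()
        elif cmd.startswith("/bin/sh -c "):        # classic builder, RUN step
            cmd = "RUN " + cmd[len("/bin/sh -c "):]
        # An empty CreatedBy means the layer has no recorded command.
        steps.append(cmd or "# (no build command recorded for this layer)")
    return steps

# Constructed sample data (not taken from a real image), newest layer first.
SAMPLE_HISTORY = """
{"CreatedBy": "COPY app.conf /etc/app.conf # buildkit", "Size": "1.2kB"}
{"CreatedBy": "/bin/sh -c #(nop)  ENV APP_HOME=/opt/app", "Size": "0B"}
{"CreatedBy": "/bin/sh -c yum -y install httpd", "Size": "48MB"}
{"CreatedBy": "", "Size": "203MB"}
"""
SAMPLE_LABELS = ('{"com.docker.compose.project": "legacyapp", '
                 '"com.docker.compose.project.config_files": "/srv/legacyapp/docker-compose.yml"}')

if __name__ == "__main__":
    print(provenance_hints(SAMPLE_LABELS))
    print("\n".join(history_to_dockerfile(SAMPLE_HISTORY)))
```

The classic builder records COPY sources as content checksums rather than file names, so the copied files themselves still have to be pulled out with `docker cp` as the reply describes.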